Preliminary discussion: DB alias entries

Sam Hartman hartmans at MIT.EDU
Fri Mar 13 10:54:32 EDT 2009

>>>>> "Luke" == Luke Howard <lukeh at> writes:

    >> I meant to ask about this for some time, but always postponed
    >> to gather some more info before asking :/ I tested a while back
    >> if renaming users (changing krbPrincipalName via ldapmodify)
    >> would work, and it didn't (I had to reset the secret as well
    >> every time). I assume the fix you did would also resolve this
    >> issue, it would be very cool.

    Luke> Right, it should work; the salt should be stored with the
    Luke> key, independently of the principal name, and if necessary
    Luke> returned to the client in an ETYPE-INFO[2]. Things are a
    Luke> little more complicated for service principals, but
    Luke> hopefully their names are less likely to change.

Our code doesn't store salts like that.
kadmind could be changed to do so.
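
An added illustration, not part of the original message and not MIT krb5 code: a simplified Python model of why a rename forces a key reset when the salt is implied by the principal name, and why storing the salt with the key and advertising it in ETYPE-INFO2 avoids that. The `Entry` record and all helper names are hypothetical, and only the PBKDF2 stage of the RFC 3962 AES string-to-key is computed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 4096  # RFC 3962 default iteration count


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: realm, then name components, no separators.
    Simplified: no handling of escaped '/' or '@' in the name."""
    name, realm = principal.rsplit("@", 1)
    return (realm + "".join(name.split("/"))).encode()


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2 stage of AES string-to-key; the final DK() step is omitted."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, 32)


@dataclass
class Entry:  # hypothetical stand-in for a KDC database record
    principal: str
    key: bytes
    salt: Optional[bytes]  # None: salt not stored, implied by the name


def create(principal: str, password: str, store_salt: bool) -> Entry:
    salt = default_salt(principal)
    return Entry(principal, derive(password, salt), salt if store_salt else None)


def rename(entry: Entry, new_principal: str) -> Entry:
    """Change only the name, as editing krbPrincipalName does; key untouched."""
    return Entry(new_principal, entry.key, entry.salt)


def advertised_salt(entry: Entry) -> bytes:
    """Salt the client ends up using: the stored one if present (sent in
    ETYPE-INFO2), otherwise the default computed from the current name."""
    return entry.salt if entry.salt is not None else default_salt(entry.principal)


def client_can_authenticate(entry: Entry, password: str) -> bool:
    return derive(password, advertised_salt(entry)) == entry.key
```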

